CISA directive establishes tight patching deadlines
US federal agencies have been ordered to establish a system for rapidly patching hundreds of known, exploited vulnerabilities.
A directive from the Cybersecurity and Infrastructure Security Agency (CISA) requires federal agencies to review and update vulnerability management procedures within 60 days.
They will each be required to “establish a process for ongoing remediation of vulnerabilities that CISA identifies”, focusing on a catalog of security flaws known to be under active attack.
Rapid remediation effort
In cases where a patch was released last year or earlier and a related vulnerability is being exploited in the wild, agencies have a six-month deadline to complete patching.
“All other vulnerabilities” (i.e. flaws with a CVE issued this year) need to be boxed off within two weeks in what’s set to become an ongoing rapid remediation effort. “These default timelines may be adjusted in the case of grave risk to the Federal Enterprise,” CISA’s directive states.
A catalog of known exploited vulnerabilities maintained by CISA already runs to 300 items or so, including a few dozen discovered this year and several older exploited vulnerabilities dating back as far as 2016.
Tackling this to-do list seems sure to involve a great deal of work in security triage, patching, and remediation at multiple agencies in the run-up to Christmas. The directive also introduces tighter internal tracking and external reporting requirements, a recipe for plenty of overtime for federal sysadmins and their managers in the new year.
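The two deadline tiers above, together with the catalog and the tracking requirement, translate naturally into a small triage tool. The following Python is an added illustration written for this article, not code from CISA or from the directive: it takes catalog entries in the shape of CISA’s published JSON feed (the `cveID` and `dateAdded` field names are from that feed; the sample entries and their CVE identifiers are constructed placeholders, not real vulnerabilities), derives the year from each CVE identifier, applies the six-month rule to CVEs issued before the directive year and the two-week rule to the rest, and lists open items by due date with overdue ones flagged. Counting each deadline from the date the item was added to the catalog is an assumption made here; the article does not say when the clock starts.

```python
"""Added example: deadline triage over a known-exploited-vulnerabilities catalog.

Assumptions (not stated in the article): the deadline is counted from the
catalog's dateAdded field, and the caller supplies the directive year that
separates the six-month tier from the two-week tier.
"""
from __future__ import annotations

import calendar
import json
import re
from dataclasses import dataclass
from datetime import date, timedelta

# CVE identifiers always carry the year they were issued as the first number.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def add_months(d: date, months: int) -> date:
    """Shift d forward by whole calendar months, clamping the day
    (e.g. 31 Aug + 6 months -> 28 Feb) so the result is always a valid date."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def cve_year(cve_id: str) -> int:
    """Extract the issue year from a CVE identifier; reject malformed input."""
    m = CVE_ID.match(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1))


def due_date(cve_id: str, date_added: date, directive_year: int) -> date:
    """Six months for CVEs issued before the directive year, two weeks otherwise."""
    if cve_year(cve_id) < directive_year:
        return add_months(date_added, 6)
    return date_added + timedelta(days=14)


@dataclass(frozen=True)
class Finding:
    cve_id: str
    date_added: date
    asset: str            # hypothetical inventory name of the affected system
    remediated: bool = False


def load_catalog(feed_json: str) -> list[tuple[str, date]]:
    """Parse the catalog feed's top-level 'vulnerabilities' list into (cveID, dateAdded)."""
    doc = json.loads(feed_json)
    return [(v["cveID"], date.fromisoformat(v["dateAdded"]))
            for v in doc["vulnerabilities"]]


def triage(findings: list[Finding], directive_year: int, today: date):
    """Return (cve_id, asset, due, overdue) rows for open items, soonest due first."""
    rows = []
    for f in findings:
        if f.remediated:
            continue
        due = due_date(f.cve_id, f.date_added, directive_year)
        rows.append((f.cve_id, f.asset, due, today > due))
    rows.sort(key=lambda r: r[2])
    return rows


# Constructed sample feed with placeholder CVE identifiers (not real entries).
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2016-00001", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2021-00002", "dateAdded": "2021-11-03"},
    {"cveID": "CVE-2020-00003", "dateAdded": "2021-11-03"},
]})

# Constructed mapping of catalog entries to hypothetical agency assets.
SAMPLE_ASSETS = {"CVE-2016-00001": "vpn-gateway-01",
                 "CVE-2021-00002": "mail-relay-02",
                 "CVE-2020-00003": "hr-portal-03"}


def sample_report(directive_year: int = 2021, today: date = date(2021, 12, 1)):
    """Build findings from the sample feed (one already fixed) and triage them."""
    findings = [Finding(cve, added, SAMPLE_ASSETS[cve],
                        remediated=(cve == "CVE-2020-00003"))
                for cve, added in load_catalog(SAMPLE_FEED)]
    return triage(findings, directive_year, today)


if __name__ == "__main__":
    for cve, asset, due, overdue in sample_report():
        print(f"{cve:15} {asset:16} due {due} {'OVERDUE' if overdue else ''}")
```

Run as a script it prints the open items soonest-first; with the sample dates the current-year CVE is already past its two-week deadline while the older one still has months to run, which is exactly the split the directive draws. Swapping `SAMPLE_FEED` for the downloaded catalog and `SAMPLE_ASSETS` for an inventory lookup turns this into the internal tracking the article says agencies will need.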
The order applies to all software and hardware found on federal information systems, whether managed internally or hosted by third parties – an important consideration when government agencies, much like mainstream businesses, rely heavily on the cloud, outsourcing, and managed services.
Where SolarWinds blow
The program is aimed at improving the security posture of US government agencies in the wake of the infamous SolarWinds supply chain attack.
Attackers suspected of working for Russian intelligence compromised the update mechanism of Orion, SolarWinds’ enterprise network management software, and used this to plant malware on the systems of a subset of customers, with US federal agencies among those targeted.
It’s not the first time federal government systems in the country have been successfully attacked. For instance, the US Office of Personnel Management data breach infamously exposed the records of 20 million government employees, including Social Security numbers and much more, back in 2015.
Bug Bounty foundations
News of the Biden order marks the latest step in the US government’s ongoing strategy of improving its security posture.
Recent years have witnessed the launch of the ‘Hack the Pentagon’ and ‘Hack the Army’ series of bug bounty events.
In a further attempt at protecting its immense attack surface, the US government launched its first federal civilian security vulnerability disclosure program in partnership with Bugcrowd in June.
It has also tasked the US National Institute of Standards and Technology (NIST) with creating guidelines that will guide the federal government’s approach to software procurement and security.